SSL_CTX_set_cipher_list(ctx, "STRONG:HIGH:FIPS:@STRENGTH");

-Kyle H
On Thu, May 14, 2009 at 5:46 AM, Folkert van Heusden <folk...@vanheusden.com> wrote:
> Ok I added debugging code and it gives me this;
>
> 27559:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> cipher:s3_srvr.c:1006:
>
> What does that mean from a configuration point of view? I have the default
> openssl package installed and also the cacert.org.pem-file in the correct
> place.
>
> On Thu, May 14, 2009 at 01:58:13PM +0200, Folkert van Heusden wrote:
>> ssldump gives me the following information:
>>
>> belle:/home/folkert# ssldump -a -A -H -k Personal/src/https2http/key.pem -i lo
>> New TCP connection #1: localhost(33455) <-> localhost(996)
>> 1 1 0.0001 (0.0001) C>S SSLv2 compatible client hello
>>   Version 3.1
>>   cipher suites
>>   Unknown value 0x39
>>   Unknown value 0x38
>>   Unknown value 0x35
>>   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>   TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>>   TLS_RSA_WITH_3DES_EDE_CBC_SHA
>>   SSL2_CK_3DES
>>   Unknown value 0x33
>>   Unknown value 0x32
>>   Unknown value 0x2f
>>   SSL2_CK_RC2
>>   TLS_RSA_WITH_RC4_128_SHA
>>   TLS_RSA_WITH_RC4_128_MD5
>>   SSL2_CK_RC4
>>   TLS_DHE_RSA_WITH_DES_CBC_SHA
>>   TLS_DHE_DSS_WITH_DES_CBC_SHA
>>   TLS_RSA_WITH_DES_CBC_SHA
>>   SSL2_CK_DES
>>   TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
>>   TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
>>   TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
>>   TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>>   SSL2_CK_RC2_EXPORT40
>>   TLS_RSA_EXPORT_WITH_RC4_40_MD5
>>   SSL2_CK_RC4_EXPORT40
>> 1 2 0.0030 (0.0028) S>CV3.1(2) Alert
>>     level fatal
>>     value handshake_failure
>> 1 0.0031 (0.0001) C>S TCP FIN
>> 1 0.0039 (0.0008) S>C TCP FIN
>>
>>
>> On Wed, May 13, 2009 at 06:21:18PM +0200, Folkert van Heusden wrote:
>> > Hi,
>> >
>> > I have an ssl server. Really simple;
>> >
>> > // init
>> > SSL_library_init();
>> > SSL_load_error_strings();
>> > bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
>> > meth = SSLv23_server_method();
>> > ctx = SSL_CTX_new(meth);
>> > SSL_CTX_use_certificate_chain_file(ctx, "/home/folkert/Personal/src/server.pem");
>> >
>> > // accept
>> > socket_h_from = accept();
>> > sbio = BIO_new_socket(socket_h_from, BIO_NOCLOSE);
>> > ssl_h_from = SSL_new(server_ctx);
>> > SSL_set_bio(ssl_h_from, sbio, sbio);
>> > int rc = SSL_accept(ssl_h_from);
>> >
>> > Now when I connect using telnet -z ssl to that port, the connection is
>> > dropped.
>> > I did a debug-session with openssl and got this:
>> >
>> > folk...@belle:~$ openssl s_client -connect localhost:996 -state -debug
>> > CONNECTED(00000003)
>> > SSL_connect:before/connect initialization
>> > write to 0x1923850 [0x1924d40] (118 bytes => 118 (0x76))
>> > 0000 - 80 74 01 03 01 00 4b 00-00 00 20 00 00 39 00 00   .t....K... ..9..
>> > 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
>> > 0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
>> > 0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
>> > 0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
>> > 0050 - 00 00 03 02 00 80 ad 40-e1 d0 43 ad a8 5b 4d d5   .......@..c..[m.
>> > 0060 - 68 a3 b0 b0 45 38 d8 0d-0d cf 5a 90 bc 3e e3 37   h...E8....Z..>.7
>> > 0070 - 19 71 17 2d 0a 09                                 .q.-..
>> > SSL_connect:SSLv2/v3 write client hello A
>> > read from 0x1923850 [0x192a2a0] (7 bytes => 7 (0x7))
>> > 0000 - 15 03 01 00 02 02 28                              ......(
>> > SSL3 alert read:fatal:handshake failure
>> > SSL_connect:error in SSLv2/v3 read server hello A
>> > 32584:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
>> > handshake failure:s23_clnt.c:578:
>> >
>> > What is it that I'm doing wrong here?
>> >
>> > Thanks.
>> >
>> >
>> > Folkert van Heusden
>> >
>> > --
>> > Multitail - a flexible utility for following log files and command output.
>> > Filtering, colouring, merging, visual comparison, etc.
>> > http://www.vanheusden.com/multitail/
>> > ----------------------------------------------------------------------
>> > Phone: +31-6-41278122, PGP-key: 1F28D8AE, www.vanheusden.com
>> > ______________________________________________________________________
>> > OpenSSL Project                                 http://www.openssl.org
>> > User Support Mailing List                    openssl-us...@openssl.org
>> > Automated List Manager                           majord...@openssl.org
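An added diagnostic, not code from this thread or from OpenSSL: for a given cipher string it checks whether the suites a server context would enable overlap, by wire code, with what the quoted client hello offered. It uses Python's ssl module (bound to whatever OpenSSL is installed) instead of the C API; the function names and the transcribed CLIENT_OFFERED set are mine.

```python
import ssl

# Cipher-suite codes the client offered in the client hello quoted above,
# transcribed from the ssldump listing (TLS suites only; the SSL2_CK_*
# entries are SSLv2-only and an SSLv3/TLS server never selects them).
# 0x39, 0x38, 0x35, 0x33, 0x32 and 0x2f are the AES suites that ssldump
# printed as "Unknown value".
CLIENT_OFFERED = {
    0x39, 0x38, 0x35, 0x16, 0x13, 0x0A, 0x33, 0x32, 0x2F, 0x05, 0x04,
    0x15, 0x12, 0x09, 0x14, 0x11, 0x08, 0x06, 0x03,
}


def server_enabled(cipher_string):
    """Map wire code -> OpenSSL name for every suite a server context
    configured with cipher_string is willing to negotiate.

    Raises ssl.SSLError when nothing matches at all, which is the same
    condition under which SSL_CTX_set_cipher_list() returns 0.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # SSL_CIPHER_get_id() yields 0x0300xxxx for SSLv3/TLS suites; the low
    # 16 bits are the code seen on the wire and in the ssldump output.
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}


def shared_suites(cipher_string, offered=CLIENT_OFFERED):
    """Suites both sides could agree on. An empty result is exactly the
    condition the server reports as "no shared cipher"."""
    enabled = server_enabled(cipher_string)
    return {code: enabled[code] for code in sorted(offered & set(enabled))}


def report(cipher_string, offered=CLIENT_OFFERED):
    """One-line summary, returned rather than printed so it can be tested."""
    try:
        shared = shared_suites(cipher_string, offered)
    except ssl.SSLError:
        return f"{cipher_string!r}: no cipher at all matches this string"
    if not shared:
        return f"{cipher_string!r}: no shared cipher with this client"
    names = ", ".join(f"0x{code:04x} {name}" for code, name in shared.items())
    return f"{cipher_string!r}: {len(shared)} shared -> {names}"


if __name__ == "__main__":
    print(report("STRONG:HIGH:FIPS:@STRENGTH"))       # the string from the reply
    print(report("DEFAULT"))
    print(report("HIGH", offered={0x03, 0x06, 0x09}))  # export/DES-only client
```

An overlap by code is necessary but not sufficient: OpenSSL also drops suites whose key exchange it cannot complete with what the context holds (RSA and DHE-RSA suites need the RSA private key loaded, DHE suites need DH parameters), so a server that set a good cipher string can still report "no shared cipher", which is why SSL_CTX_check_private_key() belongs next to this check.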